aws-azure-login

If your organization uses Azure Active Directory to provide SSO login to the AWS console, then there is no easy way to log in on the command line or to use the AWS CLI. This tool fixes that. It lets you use the normal Azure AD login (including MFA) from a command line to create a federated AWS session and places the temporary credentials in the proper place for the AWS CLI and SDKs.

Installation

Windows

Install Node.js v7.6.0 or higher. Then install aws-azure-login with npm:

npm install -g aws-azure-login

Linux

In Linux you can either install for all users or just the current user. In either case, you must first install Node.js v7.6.0 or higher and any puppeteer dependencies. Then follow the appropriate instructions.

Option A: Install for All Users

Install aws-azure-login globally with npm:

sudo npm install -g aws-azure-login --unsafe-perm

Puppeteer doesn't install globally with execution permissions for all users so you'll need to modify them:

Paste the decoded output into a SAML deflated and encoded XML decoder (like this one).

In the decoded XML output the value of the Issuer tag is the App ID URI.

How It Works

The Azure login page uses JavaScript, which requires a real web browser. To automate this from a command line, aws-azure-login uses Puppeteer, which automates a real Chromium browser. It loads the Azure login page behind the scenes, populates your username and password (and MFA token), parses the SAML assertion, uses the AWS STS AssumeRoleWithSAML API to get temporary credentials, and saves these in the CLI credentials file.
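As an added example (not the project's own code), the core of that flow in Python: decode the SAMLResponse that Azure AD posts back, read its Issuer (the App ID URI referred to above) and the AWS Role attribute into the parameters AssumeRoleWithSAML needs, and render the credentials-file section the CLI and SDKs read. The SAML XML, ARNs and STS credentials are constructed placeholders, and the STS call itself is not made here.

```python
import base64
import configparser
import io
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
# Constructed sample of the shape Azure AD posts back; the Issuer is the App ID URI.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://signin.aws.amazon.com/saml#EXAMPLE-APP-ID</saml:Issuer>
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/AzureAD</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/AzureAD,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()

def parse_saml_response(saml_response_b64):
    """Return (issuer, [AssumeRoleWithSAML kwargs for each role offered])."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    calls = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            # The role/provider ARNs may appear in either order; pick each by type.
            parts = [p.strip() for p in value.text.split(",")]
            calls.append({
                "RoleArn": next(p for p in parts if ":role/" in p),
                "PrincipalArn": next(p for p in parts if ":saml-provider/" in p),
                "SAMLAssertion": saml_response_b64,
            })
    return issuer, calls

def credentials_section(profile, sts_credentials):
    """Render the ~/.aws/credentials section from the Credentials dict STS returns."""
    cfg = configparser.ConfigParser()
    cfg[profile] = {
        "aws_access_key_id": sts_credentials["AccessKeyId"],
        "aws_secret_access_key": sts_credentials["SecretAccessKey"],
        "aws_session_token": sts_credentials["SessionToken"],
    }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()
```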

Troubleshooting

The nature of browser automation with Puppeteer means the solution is a bit brittle. A minor change on the Microsoft side could break the tool. If something isn't working, you can fall back to GUI mode (above). To debug an issue, you can run in debug mode (--mode debug) to see the GUI while aws-azure-login tries to populate it. You can also have the tool print more detail about what it is trying to do, to help diagnose the problem. aws-azure-login uses the Node debug module to print out debug info. Just set the DEBUG environment variable to 'aws-azure-login'. On Linux/OS X:

DEBUG=aws-azure-login aws-azure-login

On Windows:

set DEBUG=aws-azure-login
aws-azure-login

Support for Other Authentication Providers

Obviously, this tool only supports Azure AD as an identity provider. However, logins through other providers would work in much the same way (especially if they are SAML providers). If you are interested in building support for a different provider, let me know. It would be great to build a more generic AWS CLI login tool with plugins for the various providers.